Jump to content
Not connected, Your IP: 34.201.18.139
giganerd

How NSA-Proof Are VPN Providers? - Torrentfreak, 23/10/13

Recommended Posts

How NSA-Proof Are VPN Providers?

​Very interesting article, suggest everyone to read your way through it.


» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

Air VPN is not quoted in the piece, but this comment from another service is interesting.

 

“OpenVPN is the best choice when available on your device. It’s easy to check that your VPN provider is using strong encryption algorithms and keys (like 256bit keys and AES encryption) by looking at the OpenVPN configuration files supplied by your VPN provider. Also it can be configured to use TCP on port 443 which makes it extremely difficult to block as it looks like standard HTTP over SSL traffic.”

 

Is this how Air is set up automatically, or does it require some manual adjustments?

 

Most of those quotee agree that "PPTP" is no longer secure. I'm assuming the Air folks know this?

Share this post


Link to post
Posted ... (edited)

Everyone involved in security questions know that the auth method MSCHAPv2 (uses DES!) of PPTP is vulnerable; this is the ticket into the network. And not only in PPTP: WPA2 with EAP is vulnerable, too, because of it's use of MSCHAPv2.

However, the german Heise Online released a quite long article more than a year ago proving that they could get into their own PPTP-secured VPN with the use of some command line programs (which they needed to edit a bit because of bugs) and an online service specialized on cracking hashes by Moxie Marlinspike, Cloudcracker. It took 38 hours for the service to crack it successfully. Of course, first of all you'd need to capture the whole auth process to get the submission string for the service which will generate you the NTHASH for logging into the network.

To be paranoid: Connect this to the NSA. PPTP as a whole, especially MSCHAPv2, is Microsoft's work. And OpenVPN is open source and supports way better auth methods. There's your reason.

Edited ... by gigan3rd

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

Air VPN is not quoted in the piece, but this comment from another service is interesting.

 

“OpenVPN is the best choice when available on your device. It’s easy to check that your VPN provider is using strong encryption algorithms and keys (like 256bit keys and AES encryption) by looking at the OpenVPN configuration files supplied by your VPN provider. Also it can be configured to use TCP on port 443 which makes it extremely difficult to block as it looks like standard HTTP over SSL traffic.”

 

Is this how Air is set up automatically, or does it require some manual adjustments?

 

https://airvpn.org/topic/9949-us-and-uk-spy-agencies-defeat-privacy-and-security-on-the-internet/

 

Most of those quotee agree that "PPTP" is no longer secure. I'm assuming the Air folks know this?

 

Yes, they do not use it.

Share this post


Link to post

Air VPN is not quoted in the piece, but this comment from another service is interesting.

 

“OpenVPN is the best choice when available on your device. It’s easy to check that your VPN provider is using strong encryption algorithms and keys (like 256bit keys and AES encryption) by looking at the OpenVPN configuration files supplied by your VPN provider. Also it can be configured to use TCP on port 443 which makes it extremely difficult to block as it looks like standard HTTP over SSL traffic.

 

Hello!

 

First of all, it's important to note that the sentence in bold is totally wrong, and it's strange that a VPN provider claims that (maybe it's just a misunderstanding with TorrentFreak).

 

It would be GREAT if it was true, but it isn't. OpenVPN traffic to port 443 TCP is profoundly different from "standard http over SSL" traffic. One of the differences is that OpenVPN performs a packet wrapping with some important additional data (for packets re-ordering etc.) which makes the OpenVPN traffic discriminable from https or pure SSL/TLS through Stateful or Deep Packet Inspection. That's why it's possible to easily discern the typical OpenVPN traffic "fingerprint" and block it, like they do in China, and that's why we offer OpenVPN over SSL. We wish to underline that, because otherwise you could think that we're "stupid" to provide OpenVPN over SSL or SSH with the purpose to bypass OpenVPN disruptions in China and Iran.

 

Encapsulating OpenVPN traffic into http by default would be a major breakthrough (at the expense of an important performance hit, probably) which is being discussed for possible implementation in the next paramount release, OpenVPN 3, which might see the light in 2015. However, there are important problems to be considered for this implementation, so it is uncertain whether it will be supported in OpenVPN 3 or not.

 

Is this how Air is set up automatically, or does it require some manual adjustments?

 

We provide to option to connect to ports 53, 80, 443 and 2018, all of which with protocols TCP and UDP, according to your preferences.

 

We also provide the option to connect OpenVPN over SSH to ports 22, 80 and 53 (only TCP, obviously) and OpenVPN over SSL to port 443 TCP.

 

Most of those quotee agree that "PPTP" is no longer secure. I'm assuming the Air folks know this?

 

PPTP has been discarded even before the official birth of AirVPN. We have never supported it and we will most probably never support it. IPsec has been discarded as well, although for very different reasons.

 

Kind regards

Share this post


Link to post

I read the the above article from TorrentFreak and although much of this I have read before, one thing here was different. I never thought about a way around a gag order till reading this:

 

“Knowing whether or not a company has been compromised by a national security letter is deceptively simple. All you have to do is ask. Right now, I can confidently say that VikingVPN has not been served a National Security Letter. Feel free to ask me again later. If I don’t reply at some point in the future when you ask me, then you’ll know. See how easy that was?”

“The reason this works is that the Govt. cannot compel you to lie, but they can (apparently) compel you to remain silent. I would actually argue that the national security letters, and indeed the entire PRISM/XKeyScore system are illegal and unconstitutional, but obviously I don’t sit on the FISA court or Supreme Court, so my opinion holds little weight.”

 

So, I will ask. Has AirVPN ever received a Gag Order or is AirVPN currently under any type of Gag Order?

 

Not sure how the law is in the EU. But also in the US you are not supposed to be able to be forced to reveal something you know either (IE: as password), by this has been ignored in the past. When dealing with NSA, FBI, CIA, etc, who knows what rights anyone really has in the US or elsewhere.

 

Regards,

 

Bubbba

Share this post


Link to post

 

So, I will ask. Has AirVPN ever received a Gag Order or is AirVPN currently under any type of Gag Order?

 

Hello!

 

No, not at all. The answer is "no" to both questions.

 

Kind regards

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...